PRINCIPLES OF PERSONAL DATA PROCESSING

Protection of personal data

INFORMATION ON PERSONAL DATA PROCESSING IN GANSA a.s.

GANSA a.s. hereby provides information on the manner and extent of processing of personal data of employees, job seekers, suppliers, purchasers or customers etc. (hereinafter referred to as “natural persons”), and on the scope of the data entity’s rights related to the processing of their personal data, which is processed on the basis of the GANSA a.s. internal directive on the Principles of Personal Data Protection (hereinafter referred to as “Principles of Personal Data Protection”).

These principles govern, within the meaning of Article 12 et seq. of EU Regulation No. 2016/679 on the Protection of Personal Data, as amended (hereinafter the “GDPR Regulation”), the obligation of the Data Controller to provide the data entity with the following information for the protection of personal data obtained from the data entity specified in Article 13 or 14 of the GDPR Regulation, in particular:

GANSA collects or otherwise processes, in the course of its business or other activities, the following personal data of natural persons with whom GANSA comes into contact and which can be categorized as follows:

(business name, address of the place of business, billing address, if different, ID number, tax ID (for a natural person, it consists of the personal identification number of the natural person available from public registers))

c) Descriptive personal data of natural persons

(education, previous practice (for correct salary calculation), type of pension received (for correct calculation of monthly tax advance payments according to social security regulations), health insurance company (for health insurance), size of work clothes and shoes, photo (e.g. for use in passport format as identification data on identification cards when entering))

d) Information on other natural persons

(personal data of family members (e.g. the number of children in the case of employees, to the extent required by special regulations, in particular in the tax area), the private telephone number of a family member (to be used as an employee contact for the necessary needs of the employer or in need))

e) Other data

(information on completed education, courses and trainings, the course of previous employment and work activities, health records related to health insurance, records on health restrictions and preventive examinations, social records including data from the system of material security (SHZ), military records kept (to the extent of requirements of special regulations), bank details (e.g. for the purpose of paying wages or other performance on the basis of an agreed contract))

f) Sensitive personal data of natural persons

(health condition)

3. Purposes of personal data processing

GANSA STAVBY is authorized to collect or otherwise process the aforementioned personal data as their Controller for the specified purpose only, wherein the basic purposes of personal data processing within GANSA STAVBY are:
– Ensuring the fulfilment of individual entities of business and other activities, as they are primarily kept in the Commercial and Trade Register or on the basis of other licences necessary for the operation of the business;
– Ensuring the fulfilment of supplier-customer relationships based on the contracts concluded;
– Ensuring compliance with obligations in the context of employment and other employer relations;
– Compliance with statutory tax obligations and other legal obligations;
– Operation of CCTV and other monitoring systems on the company premises necessary for the protection and safety of operation;
– Debt recovery and other dispute resolution.
According to Article 6 of the GDPR Regulation, the Data Controller only processes accurate personal data that they have obtained in accordance with the applicable law, wherein they collect and process such personal data only to the appropriate extent and for a specified period of time.

4. Legal reasons for personal data processing

According to Article 6 of the GDPR Regulation, GANSA, as the Data Collector, may process personal data of natural persons as data entities only for the purposes of the following legal reasons for processing:

(a) upon an explicit consent given by the data entity to GANSA STAVBY as the Controller (i.e. due to a previously provided specific and freely expressed consent given only if the particular personal data processing is not justified by other legal reasons for processing referred to in (b) to (f));

(b) their processing is necessary for the performance of a contract concluded by GANSA STAVBY or for the implementation of measures taken prior to the conclusion of the contract upon the request of the data entity (i.e. due to contractual relations being negotiated or negotiated and their performance in order to ensure the operation of the plant);

(c) the processing is necessary for the fulfilment of the legal obligation which GANSA STAVBY, as the Controller, is subject to (i.e. due to accounting and tax regulations, labour law, social security law, etc.);

(d) the processing is necessary for protecting the vital interests of the data entity;

(e) if the processing is necessary for the fulfilment of a task performed in the public interest or during the exercise of official authority entrusted to the Controller;

(f) the processing is necessary for the purposes of GANSA’s legitimate interest as the Controller (i.e. for the protection of property and persons, recovery of claims, occupational health and safety, etc.).

5. Recipients and processors of personal data

GANSA processes the personal data of Data Entities solely for the purpose of operating its plant. In the framework of GANSA, personal data are processed primarily by its employees authorized to keep a specific database for certain purposes of the employer.

The Data Controller is entitled to pass on personal data only if they are obliged to do so according to generally binding legal regulations.

Unless otherwise provided by applicable law, GANSA may, as a personal data controller, transfer personal data to other data controllers only if it has consent for such transfer from the data entity.

In addition, GANSA may use a Processor to process personal data for the purpose of personal data processing, wherein the responsibility for such contractual activities shall be governed by a personal data processing agreement. In addition, GANSA, as the Controller, shall inform that it does not pass on the personal data of the employees abroad or does not use it for marketing purposes.

6. The rights and obligations of the data entities

The data entity is entitled to:

– access personal data, i.e. the data entity has the right to obtain confirmation from the Data Controller whether personal data relating to him/her are processed and if so, he/she has the right to access this personal data and information about them (Article 15 of the GDPR Regulation);
– correction of the personal data, i.e. the data entity is entitled to correction of inaccurate personal data relating to him/her or supplementing any incomplete personal data, which shall be made by the Data Controller without undue delay (Article 16 of the GDPR Regulation);
– deletion of the personal data (the right to be forgotten), i.e. the data entity is entitled to deletion of personal data not relating to him/her, which shall be made by the Data Controller without undue delay, if any of the reasons in accordance with Article 17 of the GDPR Regulation exist;
– limitation of the processing, i.e. the data entity is entitled to limitation of personal data processing in the cases specified in Article 18 of the GDPR Regulation, which shall be made by the Data Controller;
– The Data Controller has the notification obligation, i.e. the Data Controller shall notify individual recipients, who the personal data have been disclosed to, of any corrections or deletions of the personal data or limitation on the processing, except for the cases where this proves impossible or requires disproportionate effort (Article 19 of the GDPR Regulation);
– data portability, i.e. the data entity has the right to obtain personal data relating to him/her which he/she has provided to the Controller in a structured, commonly used and machine-readable format, and the right to transfer such data to another Controller if the processing is carried out automatically and is based on the consent referred to in Article 6 (1) (a) or Article 9 (2) (a), or is based on a contract pursuant to Article 6 (1) (b) of the GDPR Regulation (Article 20 of the GDPR Regulation);
– make an objection, i.e. the data entity has the right to make an objection, at any time, against the processing of personal data relating to him/her under Article 6 (1) (e) or (f) of the GDPR Regulation (Article 21 of the GDPR Regulation);
– not being subject to automated decision making, i.e. the data entity has the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects or a significant impact on him/her (Article 22 of the GDPR Regulation);
– notification of cases of a personal data breach, i.e. the data entity has the right to be notified by the Data Controller, without undue delay, of a personal data breach, if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 of the GDPR Regulation);
– file a complaint to the supervisory authority pursuant to Article 77 of the GDPR Regulation;
– the right to be informed of monitoring the Data Entity by GANSA, as the Controller;
– the right to compensation;
– the right to withdraw the consent to the processing of personal data at any time.
In the event of a change in his/her personal data, the Data Entity is further obliged to report this change to GANSA, a.s. as the Data Controller.

7. Limitations on personal data processing

Personal data are stored with the Data Controller for the necessary period of time, i.e. the period stipulated by law or during the existence of a contractual relationship or a legitimate interest (e.g. for the period of limitation of rights determined by the rules of civil law).

At the same time, the Data Controller declares that he/she has adopted internal rules for archiving and shredding documents.

8. Entry into force

This information on personal data processing in GANSA comes into force on May 25, 2018.